S_ADMI_FCD, S_CTS_ADMI

Hi all,
S_ADMI_FCD and S_CTS_ADMI are critical transaction codes. They are inserted in a role and have complete authorizations (i.e. '*' for all the fields), but the role is not assigned any T-codes. Since the role does not have any tcodes, is it OK to have it like this, or is it against audit policies?
Thanks.
Neha

>      S_ADMI_FCD and S_CTS_ADMI are critical transaction codes.
These are not TCodes. These are Authorization Objects and of course critical. For more details, please go through their documentation in SU21 under the BC_A object class.
> They are inserted in a role and has complete authorizations (i.e. '*' for all the fields) but the role is not assigned any T-codes. Since the role does not have any tcodes, is it ok to have like this or is it against audit policies.
It of course gets importance from the auditors in a production system if you assign the values as you described. But a more critical scenario appears if this role is assigned to a user having access to these Objects through any other role.
Regards,
Dipanjan

Similar Messages

  • S_CTS_ADMI Authorization issue

    Hi Experts,
    Every now and again a user sends me an SU53 with the error requesting access to S_CTS_ADMI field TABL. The user this morning is trying to release a purchase order using transaction ME29N. Why would the SU53 indicate that the user wants to maintain the control tables of the Change and Transport System in Production when they are trying to release a purchase order? I am running a trace in ST01 but it's not helping.
    Could you please help me to resolve this issue?
    Thanks
    Pavel

    Hi
    Gowri is perfectly ok. Below Objects checked.
    M_BEST_BSA
    M_BEST_EKG
    M_BEST_EKO
    M_BEST_WRK
    Along with that M_EINK_FRG also get checked.
    Check for access to all of the above Objects in user master records. Before that check with MM team to get these values of the PO that the approver is trying to release.
    1) Document Type : Relate with M_BEST_BSA
    2) Purchasing Group : Relate to M_BEST_EKG
    3) Purchasing Organization : Relate to M_BEST_EKO
    4) Plant : Relate to M_BEST_WRK
    5) Release code & release Group : Relate to Object M_EINK_FRG
    You also can get these information through ME23N
    If all of the above matches with user master record and PO then there is no further authorization issue. Rest on MM team !!!!!
    Best of luck...
    Arpan

  • How can I revoke S_CTS_ADMI from some users?

    Hi all,
    I want to revoke the authorization object S_CTS_ADMI from some users. In our environment, this authorization object is under T-D15000451 profile.
    Which transactions/steps are involved to accomplish this?
    Thanks
    Fabio Neukirchen

    Hi,
    In the Command field enter T-Code PFCG and press Enter.
    In the next screen you will be prompted for the role.
    Enter the role name CONSULTOR_ABAP_ESPECIAL.
    Click on the change icon button (pencil icon to the right of the role name).
    In the next screen you will be shown multiple tabs (Description, Menu, Authorization, Users ...).
    Click on the Authorization tab.
    You will have two options.
    Click on Change Authorization Data (pencil icon).
    In the next screen you will have a list of Objects, Object classes, etc.
    Click on Search (binocular icon) or (CTRL + F).
    You will be prompted with a pop-up window with the following options:
    Authorization object
    or object text
    Enter the Object Name (i.e. S_CTS_ADMI) in the Authorization Object field.
    Click on the find button.
    If the technical names are not on:
    Click on Utilities in the menu.
    In the drop-down list you will find the option "technical names on" (click on this).
    You will be shown the objects as follows:
    Administration Functions in the Change and Transport System   S_CTS_ADMI
    Administration tasks for Chang (with some values here like EPS1, EPS2, IMP*, PROJ)  CTS_ADMFC
    Double click on this and you will be prompted with a pop-up to change values (make the necessary changes here and save).
    Once saved, generate the profile: click on Authorization in the menu, and in the drop-down list you will find the option Generate; click on it or press (Shift + F5).
    Once generated, click on the Back button (or F3).
    In the next screen do the user comparison in the User tab.
    I hope this is clear.
    If you need further help or if you are stuck anywhere let me know and I will help you in that context.
    Cheers
    Soma

  • About S_CTS_ADMI

    Hi All,
    I have one problem with object S_CTS_ADMI.  The user was able to display data from all plants in SAP through ME3L, now user cannot display any data at all. It is asking for TABL (Administration tasks for change and transport.) please assist me in this regards,
    <removed_by_moderator>
    Many thanks,
    Pravin.
    Edited by: Julius Bussche on Aug 13, 2008 11:18 AM

    S_CTS_ADMI value TABL appearing in SU53 and ST01 is a product feature which you will learn to live with by simply ignoring it in almost all cases.
    Cheers,
    Julius
    PS: Most of us, and we try to encourage it.... do not participate here for "good score". We do it for "good knowledge", "good community", "good fun" and it is for free (though sometimes also (indirectly only) "good money" might be a knock-on-effect). Please read the rest of [the rules|https://www.sdn.sap.com/irj/sdn/wiki?path=/display/home/rulesofEngagement] as well. Happy posting
    Edited by: Julius Bussche on Aug 13, 2008 11:19 AM

  • SMT1 creating trusted system error No authorization for object S_ADMI_FCD

    Creating a trusted system in SMT1 gives the error "No authorization for object S_ADMI_FCD" even after giving authorizations in both systems. Was not able to find the issue by debugging.
    Thanks and appreciate your response.
    Betcy
    Moderator message: not directly related to ABAP development, please have a look in the SAP Netweaver or Security forums.
    Edited by: Thomas Zloch on Jan 26, 2012 10:37 PM

    Hi,
    Have you tried assigning authorizations to the id from which you are creating trusted system?
    If no, please do it and check.
    Also check in SU53 after getting the authorization error.
    Also check the connection between two systems in SM59.
    Cheers,
    Raja.D

  • Restrict the user   based on document type on migo transaction-prepare GRN

    Hi,
    We are running an ECC 6.0 R/3 system. We had a requirement as follows:
    In the MIGO transaction, we want to restrict the user by document type, i.e. we want a particular user to be able to prepare a GRN for document type STO only. He cannot prepare a GRN for any other document type.
    We checked SU24 -> maintain check indicators for transaction codes -> enter MIGO -> execute -> check indicator. This returned the authorisation objects present in the MIGO transaction. We checked the help of all these objects, but found none of them suitable for the above-mentioned requirement. We were planning to find the proper authorisation object to add to the Profile Generator.
    The following is the objects which we have checked for.
    A_B_ANLKL-->     Asset Postings: Company Code/Asset Class
    A_B_BWART-->     Asset Postings: Asset Class/Transaction Type
    B_USERSTAT-->     Status Management: Set/Delete User Status
    B_USERST_T-->     Status Management: Set/Delete User Status using Process
    C_AFKO_AWK-->     CIM: Plant for order type of order
    C_CACL_DSG-->     Interface Design
    C_DRAW_BGR-->     Authorization for authorization groups
    C_DRAW_DOK-->     Authorization for document access
    C_DRAW_TCD-->     Authorization for document activities
    C_DRAW_TCS-->     Status-Dependent Authorizations for Documents
    C_KLAH_BKP-->     Authorization for Class Maintenance
    C_STUE_BER-->     CS BOM Authorizations
    C_STUE_WRK-->     CS BOM Plant (Plant Assignments)
    C_TCLA_BKA-->     Authorization for Class Types
    C_TCLS_BER-->     Authorization for Org. Areas in Classification System
    C_TCLS_MNT-->     Authorization for Characteristics of Org. Area
    F_BKPF_BUK-->     Accounting Document: Authorization for Company Codes
    F_BKPF_BUP-->     Accounting Document: Authorization for Posting Periods
    F_BKPF_KOA-->     Accounting Document: Authorization for Account Types
    F_FICA_FOG-->     Funds Management: authorization group of fund
    F_FICA_FSG-->     Funds Management: authorization group for the funds center
    F_FICB_FKR-->     Cash Budget Management/Funds Management FM Area
    F_KNA1_APP-->     Customer: Application Authorization
    F_LFA1_APP-->     Vendor: Application Authorization
    F_SKA1_BUK-->     G/L Account: Authorization for Company Codes
    G_GLTP-->     Spec. Purpose Ledger Database (Ledger, Record Type, Version)
    J_1IDEP_SL-->     Authorization object for depot sale transaction
    J_1IEXC_OT-->     Authorization object for Other Excise Invoice Create
    J_1IEX_PST-->     Autorization object for posting Other Excise invoice
    J_1IGRPT1-->     Auth. for PART1 at GR
    J_1IINEX  -->            Incoming Excise Invoice
    J_1IRG23D-->     Authorisation object for Depo Transactions
    K_CCA-->     CO-CCA: Gen. Authorization Object for Cost Center Accounting
    K_CSKS     -->                CO-CCA:  Cost Center Master
    K_CSKS_SET-->     CO-CCA: Cost Center Groups
    K_PCA-->                    EC-PCA: Responsibility Area, Profit Center
    L_TCODE-->                    Transaction Codes in the Warehouse Management System
    M_ANFR_BSA-->     Document Type in RFQ
    M_ANFR_EKG-->     Purchasing Group in RFQ
    M_ANFR_EKO-->     Purchasing Organization in RFQ
    M_ANFR_WRK-->     Plant in RFQ
    M_BEST_BSA-->     Document Type in Purchase Order
    M_BEST_EKG-->     Purchasing Group in Purchase Order
    M_BEST_EKO-->     Purchasing Organization in Purchase Order
    M_BEST_WRK-->     Plant in Purchase Order
    M_MATE_CHG-->     Material Master: Batches/Trading Units
    M_MATE_STA-->     Material Master: Maintenance Statuses
    M_MATE_WRK-->     Material Master: Plants
    M_MRES_BWA-->     Reservations: Movement Type
    M_MRES_WWA-->     Reservations: Plant
    M_MSEG_BMB     -->Material Documents: Movement Type
    M_MSEG_BWA-->     Goods Movements: Movement Type
    M_MSEG_BWE-->     Goods Receipt for Purchase Order: Movement Type
    M_MSEG_BWF-->     Goods Receipt for Production Order: Movement Type
    M_MSEG_LGO-->     Goods Movements: Storage Location
    M_MSEG_WMB-->     Material Documents: Plant
    M_MSEG_WWA-->     Goods Movements: Plant
    M_MSEG_WWE-->     Goods Receipt for Purchase Order: Plant
    M_MSEG_WWF-->     Goods Receipt for Production Order: Plant
    M_RAHM_BSA-->     Document Type in Outline Agreement
    M_RAHM_EKG-->     Purchasing Group in Outline Agreement
    M_RAHM_EKO-->     Purchasing Organization in Outline Agreement
    M_RAHM_WRK-->     Plant in Outline Agreement
    Q_TCODE-->     QM Transaction Authorization
    S_ADMI_FCD-->     System Authorizations
    S_ALV_LAYO-->     ALV Standard Layout
    S_BDS_DS-->     BC-SRV-KPR-BDS: Authorizations for Document Set
    S_BTCH_ADM-->     Background Processing: Background Administrator
    S_BTCH_JOB-->     Background Processing: Operations on Background Jobs
    S_CTS_ADMI-->     Administration Functions in Change and Transport System
    S_DATASET-->     Authorization for file access
    S_DEVELOP-->     ABAP Workbench
    S_DOKU_AUT-->     SE61 Documentation Maintenance Authorization
    S_GUI-->                     Authorization for GUI activities
    S_OC_DOC-->     SAPoffice: Authorization for an Activity with Documents
    S_OC_ROLE-->     SAPoffice: Office User Attribute
    S_OC_SEND-->     Authorization Object for Sending
    S_PACKSTRU-->     Internal SAP Use: Package Structure
    S_PRO_AUTH-->     IMG: New authorizations for projects
    S_RFC-->                     Authorization Check for RFC Access
    S_SCD0     -->                Change documents
    S_SPO_DEV-->     Spool: Device authorizations
    S_TABU_DIS-->     Table Maintenance (via standard tools such as SM30)
    S_TCODE     -->                Transaction Code Check at Transaction Start
    S_TRANSLAT-->     Translation environment authorization object
    S_TRANSPRT-->     Transport Organizer
    S_WFAR_OBJ-->     ArchiveLink: Authorizations for access to documents
    V_LIKP_VST-->Delivery: Authorization for Shipping Points
    V_VBAK_AAT-->Sales Document: Authorization for Sales Document Types
    V_VBAK_VKO-->Sales Document: Authorization for Sales Areas

    Have you executed a trace while a functional user executes the transaction code for the specific parameters (i.e. document type)? The trace will then show which objects are being checked; then look at the object documentation in txn SU21 to determine if there are any ways to restrict on the particular value. In some cases, if the authorization group field is being checked, additional configuration is needed in order to implement the security (SU21 will explain in detail for the particular object).

  • ME5A transaction is giving ABAP dump

    Dear Mentors
    User While executing  ME5A transaction, ABAP run time error is coming
    error details
    ABAP runtime error :SAPSQL_PARSE_ERROR
    exception : CX_SY_DYNAMIC_OSQL_SYNTAX
    Function : ME_READ_EBAN_MULTIPLE
    Our system details
    SAP_APPL 617 SP 1
    we applied sap notes
    0001855828
    0001856538
    authorization objects for that user
    M_BANF_BSA
    M_BANF_EKG
    M_BANF_EKO
    M_BANF_FRG
    M_BANF_WRK
    M_BEST_BSA
    M_BEST_EKG
    M_BEST_EKO
    M_BEST_WRK
    M_EINK_FRG
    S_ADMI_FCD
    S_ALV_LAYO
    S_ALV_LAYR
    S_BDS_DS
    S_CTS_ADMI
    S_CTS_SADM
    S_DEVELOP
    S_GUI
    S_SPO_ACT
    S_SPO_DEV
    S_SPO_PAGE
    S_TCODE
    Please find attachments for more details
    Thanks
    regards
    Sudheer k

    Hi,
    Do refer the below OSS Note, this error is caused due to internal authorization check in,
    method : CL_AUTHCHECK_SQL_MM
    This Note includes latest correction for your ABAP Dump from release 616 and 617 which was released in 27.01.2014.
    1872223 - Correction WHERE clause CL_AUTHCHECK_SQL_MM
    Rgds,
    MBPATIL

  • How can I create only SPRO view role?

    Hello,
    On my production server I want to create a role for SPRO view. How it is possible?
    Please help me
    regards
    Kariyath

    Hello Kariyath,
    Please check this thread for this purpose:
    Re: Transaction List in SPRO
    This thread allows you to have all transactions in SPRO in a role.
    Next you need to change activities to 03. Make sure you remove authorization objects like S_ADMI_FCD, S_BTCH_NAM, S_CTS_ADMI etc. from this role.
    regards.
    ruchit.

  • Authorization Issues - Apple, please help

    There have been several posts regarding users not being able to play their iTunes music due to authorization issues. Solutions have been provided, including the following:
    1. Deauthorizing the account several times until the following message appears "This computer was not authorized. To authorize this computer, to play a song or video you have purchased using this account."
    2. Deleting the "SC info" folder.
    3. Authorizing the music using the original account (File > Get Info).
    Nothing seems to be working. I've contacted Apple support, and they have been more than responsive and helpful, but they keep asking me to do the same things over, and over.
    Everytime I enter my account authorization info, I get a message indicating that the computer is now authorized...however, the music still won't play.
    I have now gone 3 months without being able to solve this issue (I've tried everything in the forums), and I am about to give up. Unfortunately, this also means flushing over $300 down the toilet. I still have all the files, so I am not asking to download them again (they are on my hard drive). I just want a fix...

    Hi,
    For the BW consultant use the following objects :
    B_ALE_MAST
    S_ADMI_FCD
    S_APPL_LOG
    S_ARCHIVE 
    S_BDS_DS 
    S_BTCH_ADM
    S_BTCH_JOB
    S_BTCH_NAM
    S_CTS_ADMI
    S_C_FUNCT 
    S_DATASET 
    S_DEVELOP 
    S_DOKU_AUT
    S_FIELDSEL
    S_FOBU_MTH
    S_GUI     
    S_IDOCCTRL
    S_IDOCDEFT
    S_IDOCMONI 
    S_IDOCPART
    S_IDOCPORT
    S_LDAP    
    S_LOG_COM  
    S_OC_DOC  
    S_OC_FOLCR
    S_OC_ROLE  
    S_OC_SEND 
    S_OC_TCD  
    S_PROGRAM 
    S_PROJECT 
    S_QUERY   
    S_RFC     
    S_RS_ADMWB
    S_RS_COMP 
    S_RS_FOLD 
    S_RS_HIER 
    S_RS_ICUBE
    S_RS_IOBJ 
    S_RS_IOMAD
    S_RS_ISET 
    S_RS_ISOUR
    S_RS_ISRCM
    S_RS_MPRO 
    S_RS_ODSO 
    S_RZL_ADM 
    S_SCD0    
    S_SCRP_ACT
    S_SCRP_FRM
    S_SCRP_GRA
    S_SCRP_STY
    S_SCRP_TXT
    S_SPO_ACT 
    S_SPO_DEV 
    S_SPO_PAGE
    S_TABU_CLI
    S_TABU_DIS
    S_TABU_RFC
    S_TCODE   
    S_TMS_ACT 
    S_TOOLS_EX
    S_TRANSLAT
    S_TRANSPRT
    S_TWB     
    S_USER_AGR
    S_USER_AUT
    S_USER_GRP
    S_USER_PRO
    S_USER_TCD
    S_USER_VAL
    S_WFAR_OBJ
    S_WFAR_PRI
    For users :
    S_ADMI_FCD
    S_BDS_D
    S_BDS_DS
    S_GUI
    S_OLE_CALL
    S_RFC
    S_RS_COMP1
    S_RS_FOLD
    S_RS_HIER
    S_RS_ICUBE
    S_RS_ISET
    S_RS_ODSO
    S_SPO_DEV
    S_TCODE
    S_USER_AGR
    You also need to give the end user objects to the BW consultant. All of these objects have activities and values that need to be populated.
    Cheers,
    Kedar

  • Authorizations for background user

    Hi everyone,
    Is it OK to assign the SAP_ALL profile to the user (system user) under whom a background job runs? Is it against the security audit policies? Or should we assign only those authorizations that are required to run the program in the background job?
    Thanks.
    Neha.

    > Is it ok to assign the user (system user) sap_all profile under whom a background job runs. Is it against the security audit policies. or should we assign only those authorizations that are required to run the program in the background job.
    Hi Neha,
    You don't need to provide SAP_ALL for any system user id for daily Business you create. And of course it is against Audit policies to provide such access to Background user. This user id should be of type System.
    The authorizations for such user ids should be:
    S_BTCH_NAM       Background Processing: Background User Name
    BTCUNAME = <respective user name that are going to be authorized for Batch Job execution>
    S_BTCH_JOB       Background Processing: Operations on Background Jobs
    JOBACTION = *
    JOBGROUP = *
    S_BTCH_ADM       Background Processing: Background Administrator
    This is required for the administrator administering background Jobs.
    Also check the following note: Note 101146 - [Batch: authorization object S_BTCH_JOB, S_BTCH_NAM|https://service.sap.com/sap/support/notes/101146]
    Also the user needs access to following Authorizations:
    S_ADMI_FCD       System Authorizations
    S_CTS_ADMI       Administration Functions in the Change and Transport System
    S_LOG_COM       Authorization to execute logical operating system commands
    S_RZL_ADM       CCMS: System Administration
    Regards,
    Dipanjan
    Edited by: Dipanjan Sanpui on Jul 9, 2009 2:21 PM

  • FB00 tab controls

    Hi Everyone,
    Is it possible to control tab access using security in FB00 (Accounting Editing Options)?
    We need some super users to have access to all tabs and most of the other end users to have access to very few tabs within FB00.
    Thanks
    VP

    Thanks, GP.
    I didn't try trace yet. However, looking at SU24, I see only the following Auth. Objects can be verified from transaction FB00.
         F_BPKF_BUK
         S_ADMI_FCD 
         S_BTCH_ADMI 
         S_CTS_ADMI
         S_DATASET
         S_DEVELOP
         S_DOKU_AUT
         S_GUI
         S_OLE_CALL 
         S_PACKSTRU
         S_RFC
         S_SPO_DEV
         S_TABU_DIS
         S_TCODE
         S_TRANSLAT
         S_TRANSPRT
    None of these objects are relevant to any tab controls.
    Regards,
    VP

  • Object level checking for some of the basis tcodes(internal audit)

    Hi masters,
    in our company every month we check access controls for some of basis tcodes,i am giving it below,is the selection for Tcode and object level values combinations are correct or is there any modifications please notify.
    Tcodes     Imp Auth Objects     Auth fields     Auth  values
    SCC1     S_CLNT_IMP     Actvt     21,60
         S_TABU_CLI     CLIIDMAINT     X
    SCC4     S_TABU_CLI     CLIIDMAINT     X
         S_TABU_DIS     Authorization Group     *
              Actvt     01,02
    SCC5     S_CLNT_IMP     Actvt     21,60
         S_TABU_CLI     CLIIDMAINT     X
    SCC7     S_TRANSPRT     Request type     *
              Actvt     43,60,75
         S_CLNT_IMP     Actvt     21,60
    SCC8     S_DATASET     PROGRAM     *
              Actvt     06,34,A7
         S_TRANSPRT     Request type     *
              Actvt     43,60,75
    SCC9     S_TABU_CLI     CLIIDMAINT     X
         S_CLNT_IMP     Actvt     21,60
    SCCL     S_TABU_CLI     CLIIDMAINT     X
         S_CLNT_IMP     Actvt     21,60
    SCU0     S_TABU_DIS     Authorization Group     SS
              Actvt     01,02
         S_TABU_RFC     Actvt     3
    OBR1               
    SM01     S_ADMI_FCD          TLCK
    SM04     S_ADMI_FCD          PADM
    SM12     S_ENQUE     S_ENQ_ACT     DPFU,DLOU
    SM13     S_ADMI_FCD          UADM,UMON
    SM50     S_ADMI_FCD          PADM
    SM54     S_ADMI_FCD          NADM
    SM55     S_ADMI_FCD          NADM
    SM56               
    SM59     S_ADMI_FCD          NADM
                   RFCA
    SMLT     S_LANG_ADM     Actvt     02,16,61
              Table     *
    SPAD     S_SPO_DEV     SPODEVICE     *
    SP01     S_SPO_DEV     SPODEVICE     *
         S_ADMI_FCD          SP01,SP0R
    ST01     S_ADMI_FCD          ST0M,ST0R
    ST05     S_ADMI_FCD          ST0M,ST0R
    RZ04     S_RZL_ADM     Actvt     1
    RZ06     S_RZL_ADM     Actvt     1
    RZ10     S_RZL_ADM     Actvt     1
    RZ21     S_RZL_ADM     Actvt     1
         S_BTCH_JOB     JOBGROUP     *
              JOBACTION     DELE,RELE
    SM49     S_LOG_COM     Command     *
              Opsystem     *
              Host     *
         S_RZL_ADM     Actvt     1
    SM69     S_RZL_ADM     Actvt     1
    SM63     S_RZL_ADM     Actvt     1
    SMLG     S_RZL_ADM     Actvt     1
    SE16     S_TABU_DIS     Authorization Group     *
              Actvt     01,02
    SM30     S_TABU_DIS     Authorization Group     *
              Actvt     01,02
    SM31     S_TABU_DIS     Authorization Group     *
              Actvt     01,02
    SPRO     S_PROJECT     PROJECT_ID     *
              APPL_COMP     *
              PROJ_CONF     *
              Actvt     02,06
         S_DOKU_AUT     DOKU_ACT     MAINTAIN
              DOKU_DEVCL     *
              DOKU_MODE     *
    SPRO_ADMIN     S_PROJECTS     APPL_COMP     *
              PRCLASS     *
              Actvt     01,70
         S_PROJECT     PROJECT_ID     *
              APPL_COMP     *
              PROJ_CONF     *
              Actvt     02,06
    PFCG     S_USER_AGR     ACT_GROUP     *
              Actvt     01,02
         S_USER_PRO     Actvt     01,02
              PROFILE     *
    SM19     S_ADMI_FCD          AUDA,AUDD
    SU01     S_USER_AGR          *
                   01,02
         S_USER_GRP     Class     *
              Actvt     01,02
    SU02     S_USER_PRO     Profile     *
              Actvt     01,02
    SU03     S_USER_AUT     OBJECT     *
              AUTH     *
              Actvt     01,02
         S_USER_PRO     Profile     *
              Actvt     01,02
    SU05               
    SU10     S_USER_GRP     Class     *
              Actvt     01,02
    SU12     S_USER_GRP     Class     *
              Actvt     01,02
    SU20     S_DEVELOP     DevClass     *
              ObjectType     SUSO
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SU21     S_DEVELOP     DevClass     *
              ObjectType     SUSO
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SU22     S_DEVELOP     DevClass     *
              ObjectType     SUST
              ObjectName     *
              P_Group     *
              Actvt     01,02
    CMOD     S_DEVELOP     DevClass     *
              ObjectType     CMOD
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SA38     S_PROGRAM     P_Action     SUBMIT,BTCSUBMIT
              P_Group     *
    SD11     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     UDMO,UENO
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE11     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     DOMA,DTEL.ENQU
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE12     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     DOMA,DTEL.ENQU
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE13               
    SE14     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     INDX.MCID,TABL
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE15     S_DEVELOP     DevClass     *
              ObjectType     *
              ObjectName     *
              P_Group     *
              Actvt     3
    SE37               
    SE38     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     FUGR,PROG
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE93     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     TRAN
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE41     S_DEVELOP     DevClass     *
              ObjectType     *
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE43     S_DEVELOP     DevClass     *
              ObjectType     *
              ObjectName     *
              P_Group     *
              Actvt     3
    SE43N     S_DEVELOP     DevClass      '
              ObjectType      '
              ObjectName      '
              P_Group      '
              Actvt     01,02
    SE51     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     FUGR,PROG,DYNP
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE80     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     *
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE81     S_DEVELOP     DevClass     *
              ObjectType     *
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE82     S_DEVELOP     DevClass     Y,Z
              ObjectType     APPLTREE
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE91               
    SE92               
    SE92N               
    SNRO     S_NUMBER     NROBJ     *
              Actvt     02,17,11
    SQ00     S_QUERY     Actvt     02,23
    SQ01     S_QUERY     Actvt     02,23
    SQ02     S_QUERY     Actvt     02,23
    SQ03     S_QUERY     Actvt     23
    SQVI               
    SM35     S_BDC_MONI     BDCAKTI     ABTC,AONL,DELE
    SM35P     S_BDC_MONI     BDCAKTI     ANAL
    SM36     S_BTCH_ADM     BTCADMIN     Y
    SM37     S_BTCH_JOB     Jobaction     PROT,SHOW
              Jobgroup     *
    SM39               
    SM62               
    SM64     S_BTCH_ADM     BTCADMIN     Y
    SE01     S_CTS_ADMI     CTS_ADMFCT     EPS1,EPS2,PROJ
         S_TRANSPRT     Actvt     *
              Ttype     *
    SE06     S_C_FUNCT     PROGRAM     SAPLSTRF,SAPLSTRI
              CFUNCNAME     SYSTEM
              ACTVT     16
         S_TRANSPRT     Actvt     43,60,65
              Ttype     *
    SE09     S_TRANSPRT     Actvt     43,60,65
              Ttype     *
         S_CTS_ADMI     CTS_ADMFCT     EPS1,EPS2,PROJ
    SE10     S_TRANSPRT     Actvt     43,60,65
              Ttype     *
         S_CTS_ADMI     CTS_ADMFCT     *
    SPAM     S_CTS_ADMI     CTS_ADMFCT     IMPA,IMPS
         S_TRANSPRT     Actvt     43,60,65
              Ttype     PATC,PIEC
    STMS     S_CTS_ADMI     CTS_ADMFCT     *
         S_RFC     Actvt     16
              RFC_NAME     EPSF,STPA
              RFC_TYPE     FUGR
    Edited by: rameshbabu muddana on Mar 2, 2009 10:56 AM

    hi,thanks for reply "you should not care about the transaction start s_tcode at all - only check the object required"
    It has been made a mandatory policy to check users and roles every month with the given criteria of Tcode and object. Now I have been given the task of checking whether the Tcode and object value combinations are correct or not; please validate the combinations and suggest. We are using ECC 5.0. I had gone through wildcard use (#) when we check in SUIM; I am getting confused because when I give # followed by a value, the data I am getting is different from without #. Please provide an example for SE16 with S_TABU_DIS.
    how to check?
    i am checking in this way
    S_TCODE       SE16
    S_TABU_DIS
    Activity                   
    Value  01 or 02
    Authorization Group
    Value  #&NC&
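
The first thread's concern (a role holding S_ADMI_FCD and S_CTS_ADMI with '*' but no tcodes, which becomes usable once the same user gets tcodes from another role) and the monthly tcode/object check in this thread both come down to evaluating a user's merged authorizations. The following is an added example, not code from any of the posts or from SAP: the role names, user names and row layouts are constructed assumptions, and the rule list reuses four tcode/object/value rows from the audit table above.

```python
from collections import defaultdict

# Constructed sample data, not taken from any real system.
# Assumed row layout: (role, authorization object, field, value)
ROLE_AUTHS = [
    ("Z_BASIS_OBJECTS", "S_ADMI_FCD", "S_ADMI_FCD", "*"),   # '*' but no S_TCODE
    ("Z_BASIS_OBJECTS", "S_CTS_ADMI", "CTS_ADMFCT", "*"),
    ("Z_MONITOR_MENU", "S_TCODE", "TCD", "SM04"),
    ("Z_MONITOR_MENU", "S_TCODE", "TCD", "SM5*"),
    ("Z_TRANSPORT_DISPLAY", "S_TCODE", "TCD", "SE01"),
    ("Z_TRANSPORT_DISPLAY", "S_CTS_ADMI", "CTS_ADMFCT", "TABL"),
]
# Assumed row layout: (user, role)
USER_ROLES = [
    ("ALICE", "Z_BASIS_OBJECTS"),
    ("BOB", "Z_BASIS_OBJECTS"),
    ("BOB", "Z_MONITOR_MENU"),
    ("CAROL", "Z_TRANSPORT_DISPLAY"),
]
# (tcode, object, field, value) rows reused from the audit list on this page.
RULES = [
    ("SM04", "S_ADMI_FCD", "S_ADMI_FCD", "PADM"),
    ("SM50", "S_ADMI_FCD", "S_ADMI_FCD", "PADM"),
    ("SM59", "S_ADMI_FCD", "S_ADMI_FCD", "NADM"),
    ("SE01", "S_CTS_ADMI", "CTS_ADMFCT", "PROJ"),
]
CRITICAL = {"S_ADMI_FCD", "S_CTS_ADMI"}


def value_grants(held, wanted):
    """True if a held value covers the wanted one.
    Handles '*' and a trailing '*' only; from-to ranges are not handled."""
    if held == "*":
        return True
    if held.endswith("*"):
        return wanted.startswith(held[:-1])
    return held == wanted


def effective_auths(user):
    """Merge the values of every role assigned to the user, per (object, field).
    Merging per field is only valid for single-field objects, which is all
    that RULES contains; multi-field objects must be matched per authorization."""
    roles = {r for u, r in USER_ROLES if u == user}
    merged = defaultdict(set)
    for role, obj, field, value in ROLE_AUTHS:
        if role in roles:
            merged[(obj, field)].add(value)
    return merged


def has_auth(auths, obj, field, wanted):
    return any(value_grants(v, wanted) for v in auths.get((obj, field), ()))


def audit():
    """Return (usable, dormant).
    usable:  (user, tcode, object, value) where the user passes both the
             S_TCODE check and the object check, possibly via different roles.
    dormant: (user, object) where the user holds '*' on a critical object but
             none of the RULES tcodes that check it. "Dormant" is relative to
             RULES only; any later role that adds a tcode activates it."""
    usable, dormant = [], []
    for user in sorted({u for u, _ in USER_ROLES}):
        auths = effective_auths(user)
        reachable = set()
        for tcode, obj, field, value in RULES:
            if has_auth(auths, "S_TCODE", "TCD", tcode) and has_auth(auths, obj, field, value):
                usable.append((user, tcode, obj, value))
                reachable.add(obj)
        for obj in sorted(CRITICAL - reachable):
            if any("*" in vals for (o, _f), vals in auths.items() if o == obj):
                dormant.append((user, obj))
    return usable, dormant


if __name__ == "__main__":
    usable, dormant = audit()
    for row in usable:
        print("USABLE ", *row)
    for row in dormant:
        print("DORMANT", *row)
```

ALICE holds only the object role and shows up as dormant; BOB holds the same role plus a menu role and shows up as usable for SM04, SM50 and SM59, which is the combination the first reply on this page warns about.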

  • How to modified SAP_ALL

    Hi
    I have development  environment and i would like to give Developer SAP_ALL without SU01( ability to create user) ability. Can anyone please let me know how could i do modify SAP_ALL and delete SU01 from it.
    Thanks

    Well,
    since I am facing somewhat same issue at current customer I did search the whole forum...and still no real concrete answer found anywhere...therefore I did create a new role, with import of Full authorisation on the authorisation tab page using Menu >>GotO>> Insert Authorisations>>Full Authorisation.
    Next, I limited most critical objects I knew and found back in forum:
    Cross Application     AAAB     S_RFC_ADM     relevant for SM59 and remote Function Modules based on destination
    Basis: Development     BC_C     S_DEVELOP     Using this object, you can assign access authorizations for all the workbench components
    Basis: Administration     BC_A     S_ADMI_FCD     This authorization object checks access to several Basis functions, for example, spool administration and monitoring.
    Basis: Development     BC_C     S_TRANSPRT     Authorization object for the Transport Organizer
    Basis: Administration     BC_A     S_RZL_ADM     Authorization object for R/3 System administration using the Computing Center Management System
    Basis: Administration     BC_A     S_CTS_ADMI     Administration functions in the Change and Transport System
    Basis: Administration     BC_A     S_USER_AGR     The authorization object is used to protect the roles. Roles are used to combine users in groups and to assign them different attributes, in particular transactions and authorization profiles.
    Basis: Administration     BC_A     S_USER_VAL     This authorization object allows you to restrict the values an administrator is allowed to add or change for a role in the Profile Generator. The authorization object refers to all field values except the values of the object S_TCODE.
    Basis: Administration     BC_A     S_USER_TCD     Authorization objects control the transactions that system administrators can assign to a role, as well as the transactions for which they can assign transaction code authorization.
    Basis: Administration     BC_A     S_USER_AUT     Authorization object, which is checked during authorization maintenance. (In Tcodes SU03 and SU02)
    Basis: Administration     BC_A     S_USER_OBJ     You use the authorization object to protect access to globally switching off authorization objects. The system checks the object if you choose Save or Activate in the transaction for switching off authorization objects (auth_switch_objects).
    Basis: Administration     BC_A     S_USER_PRO     User Master Maintenance: Authorization Profile
    Basis: Administration     BC_A     S_USER_GRP     User Master Maintenance: User Groups
    Basis: Administration     BC_A     S_USER_SYS     User Master Maintenance: System for Central User Maintenance (CUA)
    Basis: Administration     BC_A     S_USER_SAS     User Master Maintenance: System-Specific Assignments
    Basis: Administration     BC_A     S_BTCH_ADM     Background Processing: Background Administrator
    Basis: Administration     BC_A     S_TABU_DIS     Table Maintenance (via standard tools such as SM30)
    Basis: Administration     BC_A     S_TABU_CLI     Cross-Client Table Maintenance
    Human Resources     HR     PLOG     Personnel Planning
    I deactivated or restricted these objects... and think this would be an acceptable solution.
    Just also created a Customizing Display only role... which seems to work fine.
    cheers
    Davy Pelssers

  • SUIM security-audit checklist....

    Hello, I found a checklist for SAP security auditing in SUIM. I searched for some of the items on the internet, but I am confused.
    I think it can be a very helpful checklist for people working in SAP security auditing.
    If you have time, can you please tell me what these reports mean, in 1-2 sentences?
    (I know they are a bit much, but I think it can be a really good source for people who want to work in SAP security auditing like me.)
    Thank you very much
    Regards..
    SUIM--->>>>
    1)  S_TCODE = SM36,Authorization Object 1: S_BTCH_ADM = Y; Authorization Object 2: S_BTCH_JOB = * for Job Operations and * for Summary of jobs for a group; Additional selection criteria – Unlocked users only
    2)  S_TCODE = SM37; Authorization Object 1: S_BTCH_JOB JOBACTION = *; Additional selection criteria – Unlocked users only
    3)  S_TCODE = SM35; Authorization Object 2: S_BDC_MON1=*, Additional selection criteria – Unlocked users only
    4)  S_TCODE = SE18; Additional selection criteria – Unlocked users only
    5)  S_TCODE = SE19; Additional selection criteria – Unlocked users only
    6)  S_TCODE = SM69; Authorization Object 1: S_RZL_ADM= 01; Additional selection criteria – Unlocked users only
    7)  S_TCODE =SM49; Authorization object1: S_LOG_COM, COMMAND Value: #*; POSYSTEM Value: #*; R/3 Value: #* additional selection criteria: unlocked users only
    8)  Authorization object 1: S_RFC; RFC_TYPE: FUGR; RFC_NAME: #*; activity: 08; additional selection criteria: unlocked users only
    9)  S_TCODE = SECR; authorization object1: S_IMG_ACTV, Project no: 900; ACTVT = 02; IMG Value = #*; authorization object2: S_PRO_AUTH Project no: 900 ACTVT: 03; additional selection criteria: unlocked users only
    10)  S_TCODE=SU01: Additional selection criteria – Unlocked users only
    11)  S_TCODE=SU01; 2: Authorization object 1: S_USER_AUT; ACTVT Value=03 or 08; Additional selection criteria – Unlocked users only
    12)  S_TCODE=SU02; Additional selection criteria – Unlocked users only
    13)  S_TCODE=SU03; Additional selection criteria – Unlocked users only
    14)  S_TCODE=SU10; Additional selection criteria – Unlocked users only
    15)  S_TCODE=RZ10; Authorization object 1: S_DATASET, ACTVT Value = *; Authorization object 2: S_RZL_ADM ACTVT Value = 01 or 03; Additional selection criteria – Unlocked users only.
    16)  S_TCODE =SE16; Authorization object1: S_TABU_DIS, Authorization group = SC, ACTVT =02; Additional selection criteria: unlocked users only
    17)  S_TCODE = SNRO; authorization object1: S_NUMBER, Value = #*, ACTVT = 01, 02, 11; 3: Additional selection criteria – Unlocked users only
    18)  S_TCODE = SCC4; authorization object1: S_TABU_DIS Table Maintenance (via standard tools such as SM30), ACTVT = 01, 02, 03; authorization group = SS; Additional selection criteria – Unlocked users only
    19)  Authorization object 1:S_ADMI_FCD, Value: SP01 or SPOR; authorization object 2: S_SPO_ACT Value = ATTR (change attributes of protected spool request) or BASE (see protected spool requests in the output controller [determine whether the spool request exists], display request attributes) and DELE (delete request manually) or REPR (output protected spool request more than once); authorization object 3: S_TMS_ACT (Actions on TemSe objects); STMSOWNER Value  = GRP (external TemSe objects in own) or OWN (own TemSe objects) authorization object 3 = S_TMS_ACT: Additional selection criteria – Unlocked users only
    20)  S_TCODE = SCCL; authorization object 1: S_CLNT_IMP, Activity = 21, 60; authorization object 2: S_TABU_CLI, Cross Client Indicator = #*; Additional selection criteria – Unlocked users only
    21)  S_TCODE = SCCL; authorization object 1: S_CLNT_IMP, Activity = 21, 60; authorization object 2: S_TABU_CLI, Cross Client Indicator = #*; Additional selection criteria – Unlocked users only
    22)  S_TCODE =SM31; authorization object 1: S_TABU_DIS, ACTVY =01, authorization object 2: S_TABU_CLI CLIIDMAINT =x; additional selection criteria: unlocked users only
    23)  S_TCODE =SM30; authorization object 1: S_TABU_DIS, ACTVY =01 or ACTVY =02, authorization object 2: S_TCODE =S_TABU_CLI, CLIIDMAINT =x; additional selection criteria: unlocked users only
    24)  Authorization object 1: S_TCODE =SA38 or SE38; 2: authorization object S_PROGRAM Value =SUBMIT; additional selection criteria: unlocked users only
    25)  S_TCODE =SA38 or SE38; 2: authorization object S_PROGRAM Value =SUBMIT; additional selection criteria: unlocked users only.
    26)  Authorization object 1: S_TRANSPRT Value = 43
    27)  S_TCODE = SE01; authorization object 1: S_TRANSPRT Value:1, 2; authorization object 2: S_DATASET Actvt: 06,33,34
    28)  S_TCODE = SE03; authorization object 1: S_TRANSPRT Value: 06,43 ; authorization object 2: S_CTS_ADMI Value: TABL
    29)  S_TCODE = SE10; authorization object 1: S_TRANSPRT Value: 01, 02; authorization object 2: S_DATASET Value: 06, 33, 34.
    30)  S_TCODE = SCC4; authorization object 1: S_CLNT_IMP Value: 21, 60: Additional selection criteria – Unlocked users only
    31)  S_TCODE: SM12; authorization object 1: S_C_FUNCT Value = *; activity value = 16; authorization object 2: S_ENQUE; S_ENQ_ACT Value = *.

    I want to learn what all these authorization objects stand for. 1,2,3,4... because each one asks for a different report..
    For example, let's talk about the first one.
    1)  SUIM---->   S_TCODE = SM36,Authorization Object 1: S_BTCH_ADM = Y; Authorization Object 2: S_BTCH_JOB = * for Job Operations and * for Summary of jobs for a group; Additional selection criteria – Unlocked users only
    In this report, why does it ask this? What does it mean to choose S_BTCH_ADM to Y, S_BTCH_JOB to * and choosing ..or Job Operations and * for Summary of jobs for a group; Additional selection criteria – Unlocked users only..
    I wonder about this. Why is this report important and what does it ask?
    Thank you for your messages.
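
Each checklist item above has the same shape: a transaction in S_TCODE plus field values in one or more authorization objects, evaluated per user across every assigned role. The following added example (not from the thread) evaluates items 1 and 28 that way over constructed data, and shows that a role holding `*` in S_CTS_ADMI without any transaction only becomes a finding once another role supplies the transaction. Assumptions: role names, user names and the data layout are constructed; TCD, BTCADMIN, JOBGROUP and CTS_ADMFCT are the standard field names of those objects and are not quoted in the post; `#*` is read as "holds a literal `*`"; value ranges are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed sample data: role -> list of (object, {field: held values}).
ROLES = {
    "Z_BASIS_NO_TCODES": [  # full authorization, but no S_TCODE entries
        ("S_CTS_ADMI", {"CTS_ADMFCT": ["*"]}),
        ("S_BTCH_ADM", {"BTCADMIN": ["Y"]})],
    "Z_JOB_SCHEDULER": [
        ("S_TCODE", {"TCD": ["SM36", "SM37"]}),
        ("S_BTCH_JOB", {"JOBACTION": ["*"], "JOBGROUP": ["*"]})],
    "Z_DISPLAY": [("S_TCODE", {"TCD": ["SE03", "SU5*"]})],
}
USERS = {  # constructed: user -> (locked?, assigned roles)
    "ALICE": (False, ["Z_BASIS_NO_TCODES"]),
    "BOB": (False, ["Z_BASIS_NO_TCODES", "Z_JOB_SCHEDULER"]),
    "CAROL": (True, ["Z_BASIS_NO_TCODES", "Z_DISPLAY"]),
    "DAVE": (False, ["Z_BASIS_NO_TCODES", "Z_DISPLAY"]),
}
RULES = {  # checklist items 1 and 28 (S_TRANSPRT part of 28 left out)
    "1_SM36": [
        ("S_TCODE", {"TCD": ["SM36"]}),
        ("S_BTCH_ADM", {"BTCADMIN": ["Y"]}),
        ("S_BTCH_JOB", {"JOBACTION": ["#*"], "JOBGROUP": ["#*"]}),
    ],
    "28_SE03": [("S_TCODE", {"TCD": ["SE03"]}), ("S_CTS_ADMI", {"CTS_ADMFCT": ["TABL"]})],
}

def covers(held, wanted):
    """True if a held value grants the wanted one; '#*' asks for a literal '*'."""
    if wanted == "#*":
        return "*" in held
    return any(fnmatchcase(wanted, h) for h in held)

def has_auth(auths, obj, fields):
    """Every field must be satisfied inside ONE authorization of the object."""
    return any(o == obj and all(any(covers(f.get(k, []), w) for w in ws)
                                for k, ws in fields.items())
               for o, f in auths)

def findings(rule, include_locked=False):
    """Users whose combined roles satisfy every object check of the rule."""
    def hit(roles):
        auths = [a for r in roles for a in ROLES[r]]  # union over all roles
        return all(has_auth(auths, o, f) for o, f in RULES[rule])
    return [u for u, (locked, roles) in sorted(USERS.items())
            if (include_locked or not locked) and hit(roles)]

if __name__ == "__main__":
    for rule in RULES:
        print(rule, findings(rule))
```

ALICE holds the same unrestricted role as BOB and DAVE but matches neither rule, because nothing assigned to her supplies the transaction; CAROL matches item 28 only when locked users are included.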

  • SEC: S_CTM_ADMI

    I am trying to determine why a transaction in Fixed Assets, S_ALR_87099918, is asking for authorization to the transport management system.

